author: Tatiana Bradley <email@example.com>  Mon Nov 27 15:29:15 2023 -0500
committer: Tatiana Bradley <firstname.lastname@example.org>  Mon Nov 27 21:15:22 2023 +0000
internal/report: fix bug in CVE5 generation

Fixes a bug in which incorrect version ranges were sometimes generated when converting reports to CVE5.

The bug happens when operating on a report with no fixed version. The problem is that the CVE JSON 5.0 format only allows version ranges of the form "versions X to Y are affected", "versions X to Y are NOT affected" or "version X is affected". It does not directly allow the statement "version X and above are affected" - this must be expressed as "version 0 through X are unaffected, all others are affected". This change allows that to be expressed.

This bug became clear when we published GO-2023-2328. The CVE for that report is also re-generated as a part of this change.

Change-Id: I0c61168581d65b13850d3a763a3300c04594b84c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/545295
LUCI-TryBot-Result: Go LUCI <email@example.com>
Reviewed-by: Damien Neil <firstname.lastname@example.org>
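The commit message describes the mapping that matters here: CVE JSON 5.0 can express "X to Y affected", "X to Y unaffected" and "X affected", but not "X and above affected", so an open-ended Go report range has to be inverted into a `defaultStatus` of `affected` plus explicit `unaffected` gaps. The following is an added example written for this page, not the vulndb project's own `internal/report` code; the `VersionRange`, `CVE5Version` and `CVE5Affected` types are simplified assumptions modelled on a Go report's introduced/fixed pairs and on the CVE 5.0 `versions` array, and it generalises to several ranges where only the last may lack a fix.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// VersionRange is a simplified introduced/fixed pair as found in a Go
// vulnerability report. Constructed for this example; not vulndb's own type.
type VersionRange struct {
	Introduced string // "" means affected from the first version ("0")
	Fixed      string // "" means no fixed version exists yet
}

// CVE5Version is one entry of the CVE JSON 5.0 "versions" array.
type CVE5Version struct {
	Version     string `json:"version"`
	Status      string `json:"status"`
	LessThan    string `json:"lessThan,omitempty"`
	VersionType string `json:"versionType"`
}

// CVE5Affected is the version-related part of a CVE 5.0 "affected" entry.
type CVE5Affected struct {
	DefaultStatus string        `json:"defaultStatus"`
	Versions      []CVE5Version `json:"versions,omitempty"`
}

// rangeEntry builds a half-open range [from, lessThan) with the given status.
// An empty "from" is the report's way of saying "since the beginning" and is
// written as "0", which is how CVE 5.0 spells the lowest version.
func rangeEntry(from, lessThan, status string) CVE5Version {
	if from == "" {
		from = "0"
	}
	return CVE5Version{Version: from, Status: status, LessThan: lessThan, VersionType: "semver"}
}

// ToCVE5 converts sorted, non-overlapping report ranges into a CVE 5.0
// affected block. If every range has a fix, the default is "unaffected" and
// the affected ranges are listed directly. If the last range is open-ended
// ("X and above"), CVE 5.0 cannot say so, so the default flips to "affected"
// and the unaffected gaps (below the first introduced version and between
// consecutive ranges) are enumerated instead.
func ToCVE5(ranges []VersionRange) CVE5Affected {
	if len(ranges) == 0 {
		return CVE5Affected{DefaultStatus: "unknown"}
	}
	openEnded := ranges[len(ranges)-1].Fixed == ""
	if !openEnded {
		out := CVE5Affected{DefaultStatus: "unaffected"}
		for _, r := range ranges {
			out.Versions = append(out.Versions, rangeEntry(r.Introduced, r.Fixed, "affected"))
		}
		return out
	}
	out := CVE5Affected{DefaultStatus: "affected"}
	// Gap before the first introduced version: 0 <= v < introduced.
	if first := ranges[0].Introduced; first != "" && first != "0" {
		out.Versions = append(out.Versions, rangeEntry("", first, "unaffected"))
	}
	// Gaps between consecutive ranges: fixed_i <= v < introduced_{i+1}.
	for i := 0; i+1 < len(ranges); i++ {
		out.Versions = append(out.Versions, rangeEntry(ranges[i].Fixed, ranges[i+1].Introduced, "unaffected"))
	}
	return out
}

func main() {
	// Constructed input: affected since v1.2.0 with no fix yet, i.e. the
	// "version X and above are affected" case the commit message describes.
	b, err := json.MarshalIndent(ToCVE5([]VersionRange{{Introduced: "1.2.0"}}), "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```

Reviewing a generated CVE record against this rule is a quick sanity check: a record whose `defaultStatus` is `unaffected` while the source report has no fixed version is exactly the shape of the bug this commit fixes.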
This repository contains the infrastructure and internal reports to create the Go Vulnerability Database.
Check out https://go.dev/security/vuln for more information about the Go vulnerability management system.
Click here to report a public vulnerability in the Go ecosystem, or give feedback about the project.
The privacy policy for govulncheck can be found at https://vuln.go.dev/privacy.
Unless otherwise noted, the Go source files are distributed under the BSD-style license found in the LICENSE file.